Internal and external controls in European companies

The reliability of a company's financial results is of great importance, as they are important information for financiers, banks, business partners, etc. The financial information shall reflect a true and fair view of the assets, liabilities, financial position and profit or loss (based on the internal controls of the company) and shall be reviewed in an audit. Although non-financial performance indicators have become more important in recent years, financial data and the accuracy of financial figures still have a particularly high priority.

Two current prominent examples show that the existing audit regulations and supervisory authorities do not meet the requirements of a digital, global business. A reform of the audit system should therefore be started and implemented. But let us first take a look at the existing rules (with a focus on Austria).

Responsibility for creating controls

Managing Directors

The Management Board is responsible for the establishment, design and application of an internal control and risk management system appropriate to the requirements of the Company.

In the management report (Lagebericht), the management has to report the following points to the public (valid for certain companies, e.g. stock-listed companies):

  1. In the management report, it is recommended to include a statement of the management on their responsibility for the establishment and design of an appropriate internal control and risk management system with regard to the accounting process and, if applicable, on the objectives of financial reporting.
  2. The software used for accounting and reporting shall be named and an indication of the automated checks shall be given.
  3. In addition, it should be reported which financial information is made available to the key persons of the company, in particular to those who perform the monitoring and controlling of proper accounting and reporting.
  4. The section “Control environment” should include a statement on the structural and procedural organisation in the area of accounting, including financial accounting. In particular, it should cover the ethical guidelines laid down in the company (e.g. Code of Conduct), the procedural rules for significant processes in accounting and financial reporting, as well as the organizational units set up in this area and their areas of responsibility.

Supervisory Board

The Supervisory Board is responsible for supervising the management and for deciding on strategic matters. In order to fulfil its duties, the Supervisory Board has a number of monitoring instruments at its disposal, such as rights of information and inspection, reporting obligations of the management, and transactions requiring approval.

External Controls

External Auditors

The primary function of a statutory auditor is to audit the accounts and reports of a company, in particular the annual or consolidated accounts prepared in accordance with the relevant regulations.

The complex services provided by an auditor therefore include, in addition to the audit of the annual financial statements, various types of special audits under company law in the event of reorganisations, the audit of prospectuses or creditworthiness, and the audit of compliance management systems. The functioning of the control and risk management system or the IT system is just as much a part of the auditor’s know-how as the optimal design of the accounting-related processes and procedures of a company.

Audit Supervisory Authority

The auditors are supervised by an Audit Supervisory Authority. The Audit Supervisory Authority (“APAB”) in Austria was established on 27 September 2016 as an independent institution under public law, free from directives, by the appointment of the Management Board. The APAB is under the legal supervision of the Federal Minister of Finance in Austria and deals with the supervision of auditors and audit firms and with the conditions under which they are entitled to carry out audits.

The tasks and powers of the authority include:

  • Quality assurance and the related review
  • Carrying out inspections of statutory auditors and audit firms, as well as of cooperative auditing associations and the Sparkassen-Prüfverband when auditing public interest entities (PIE)
  • Keeping a public register of all statutory auditors and audit firms that hold a valid certificate
  • Monitoring the continuous training of auditors
  • Carrying out needs-related studies
  • Supervision of PIEs with regard to compliance with audit-relevant obligations, if they are not already subject to the FMA (Finanzmarktaufsicht)

Further supervisory authorities exist for banks, credit institutions and payment processors, as additional supervision is needed for them:

FMA (Finanzmarktaufsicht – financial market supervision in Austria)

The tasks of the FMA's supervisory system are governed by a range of individual laws, such as the Finanzmarktaufsichtsbehördengesetz (Financial Market Authority Act), Nationalbankgesetz (Nationalbank Act), Versicherungsaufsichtsgesetz (Insurance Supervision Act), Börsegesetz (Stock Exchanges Act) and the Kapitalmarktgesetz (Capital Market Act). In order to carry out these activities, two distinct approaches to supervision are required, referred to as solvency supervision and market and conduct supervision.

Particular importance is also accorded to the statutory tasks of the supervisory system, such as dealing with unauthorised banking, insurance and financial services transactions, and taking preventive measures aimed at fighting money laundering and terrorist financing.

The three core departments of supervision of the Austrian financial market are the Banking Supervision department, the Insurance Supervision department and the Securities Supervision department.

Internal Controls

The Internal Control System (ICS) comprises all methods and measures implemented in the company which:

  • safeguard the assets of the undertaking
  • increase operational efficiency and thus profitability
  • ensure the reliability of the accounting and reporting system; and
  • ensure compliance with required business policies and legal requirements

The ICS describes control loops: who is responsible for a control loop (persons responsible), what type of control loop is involved (person-assisted control loop or computer-aided control loop), how often this control loop should be available for checking (frequency), and in which area the control loop is used.

With internal controls you can check:

  • Factual accuracy
  • Formal correctness
  • Completeness
  • Timely execution
  • Documentation
  • Traceability
  • Legal compliance

The control loops need to be documented for nearly all processes in a company.

Examples of personnel-related questions of an Internal Control System are:

  • Is the deregistration and return of all items guaranteed upon exit?
  • Are presence checks monitored?
  • Are there employee appraisals?
  • Do secondary jobs have to be registered or approved?
  • Who monitors overtime?
  • Documentation of vacation days?
  • Are wage payments separated from payroll accounting?
  • etc

Internal Controls are to be audited by internal (and external) auditors.


There are a lot of supervisory authorities involved in order to ensure correct (financial) results of a company. Furthermore, the obligation of the management to set up a functioning internal control system (that is audited by externals) should decrease the risk of wrong numbers.

But as we have seen recently (e.g. at a payment provider whose malversations obviously started in Asia, a region that is difficult for European auditors to audit, or at a bank in Austria, where several audits were carried out by external auditors), the existing regulations and maybe also the skills of the supervisory authorities need to be improved. Therefore, new audit regulations and new internal controls (or internal control systems) are needed in order to better respond to international, digital business models and to detect malversations. An external audit or supervisory body that does not find significant errors has no benefit.


Georg Tichy

Georg Tichy is a management consultant in Europe, focusing on top-management consultancy, project management, corporate reporting and funding support. Dr. Georg Tichy is also a trainer, university lecturer and advisor on current economic issues.